Pressure Cooker Flap Traces To Employer, Not Google

Worried your Google searches are being watched by the authorities? Forget the NSA and start worrying about privacy closer to home.

Google Maps Updated: 10 Cool Features

(click image for larger view)

A Long Island, N.Y., woman's account about being visited by authorities because of her Google searches about pressure cookers says volumes about privacy fears, but very little about what actually transpired. Call it the Snowden Effect.

Michele Catalano, a writer who has written for Forbes and other publications, published an account on Medium of being visited several weeks ago by "six agents from the joint terrorism task force" due to what she "imagined" was the result of "[her] son's reading habits combined with [her] search for a pressure cooker and [her] husband's search for a backpack set ..."

Along with other news outlets, The Guardian published a story based on Catalano's account with a headline suggesting the police visit arose from online search activity: "New York woman visited by police after researching pressure cookers online." But that link proved difficult to establish on Thursday afternoon, because the relevant law enforcement agencies were slow to acknowledge that any investigation actually took place.

Catalano initially refused via Twitter to respond to media inquiries seeking clarification, though she did subsequently insist, "I didn't make it up." She did not respond to an emailed request for comment.

The Suffolk County, N.Y., Police Department Thursday afternoon referred a request for comment to the FBI. The FBI's New York Office did not immediately respond to a request for comment, but the agency did deny Catalano's claim to The Washington Post.

The FBI told to The Washington Post that officers from the Nassau County, N.Y., Police Department visited the woman's home.

Yet, a spokeswoman the Nassau County Police Department, reached by phone, denied that. "We were not at the house and we didn't conduct an investigation," a spokeswoman in the department's public information office said.

In a Google+ post, CNET correspondent Declan McCullagh suggested a more likely explanation for government scrutiny would be public posts, such as this image of M-66 firecrackers. Catalano appears to have posted it to Flickr in 2008 and more recently to her Facebook page.

Google declined to comment, but the company has a well-documented policy for handling law enforcement requests for information. It seems unlikely Google would provide user search history information without enough evidence to sustain a warrant.

Lurking in the background is the tinfoil-hat explanation: The NSA tipped off local authorities.

The truth turns out to be rather more prosaic: Thursday evening, the Suffolk County Police Department emailed a statement to TechCrunch in response to inquiries about Catalano's post indicating that it had received a tip from a local computer company about a former employee's online searches about backpacks and pressure cookers and that it had visited the subject's home to ask about the suspicious searches. As of 8:30 a.m. ET Friday, the department had not published the release on its website.

TechCrunch has identified Catalano's husband as Todd Pinnell and the company where he was employed as Speco Technologies. It's not immediately clear whether Catalano's search for a pressure cooker was made through Pinnell's work computer, though that would make more sense if Pinnell had brought a work-issued device home.

Catalano subsequently published a clarification: "We found out through the Suffolk Police Department that the searches involved also things my husband looked up at his old job. We were not made aware of this at the time of questioning and were led to believe it was solely from searches from within our house."

In short, it appears that given the heightened vigilance following the Boston Marathon bombing, someone in IT was paying attention and alerted authorities.

The irony in all this is Catalano's lament about her lack of privacy, which her widely covered post has all but eradicated.

"This is where we are at," she wrote in her initial post. "Where you have no expectation of privacy. Where trying to learn how to cook some lentils could possibly land you on a watch list. Where you have to watch every little thing you do because someone else is watching every little thing you do."

When I first heard about this, I figured the FBI hadn't shown up on the basis of Google searches alone. For one thing, if every computer whose Internet search histories include "pressure cooker" and "backpack" warranted an in-person investigation, the government would run out of resources in about 10 minutes.

There simply aren't enough agents to act on so little information. Think how much time the authorities would waste investigating every grad student who looked at extremist sites while researching a dissertation on terrorism and foreign policy. Ditto for the wannabe screenwriter who uses Google to research bomb-making techniques so he can add authenticity to his next action movie plot.

So even if Google had been involved (which it wasn't), I never bought that the authorities would have acted on so little. That's not to say we shouldn't worry about privacy, or that we we have nothing to fear as long as we have nothing to hide. But the original story just seemed fishy.

Sounds like an old Twilight episode (for those who recall the TV series). Nassau County was there, says FBI. No we weren't, try the FBI. We weren't, try Suffolk County. No, not here try the NSA. Who? Are we certain it isn't just a slow Friday or if Ms. Catalano was visited by anyone (temperature was high in that area of the country wasn't it). Blogging has certainly made it simpler for anyone to get their 15 minutes and created many a virtual coffee shop. :-)

Becca--No, it wasn't several family members. Just the husband, on a work computer. (Or, at least, all the searches were on the work computer. If he'd brought it home, perhaps another family member used it.) The ex-employer called the cops.

What I find most interesting is how a random collection of Google searches conducted by several family members on different devices triggered the alarm as easily as one person doing it all on a single laptop. This story gives us some idea as to the data storage and the software smoothly connecting these searches, it really is mindblowing.

Published: 2015-03-31The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.